| Recurring |
one_organization, multiple_organization |
(a) The software failure incident related to the NFC vulnerabilities affecting smartphones like the Samsung Galaxy Nexus and Nokia N9 was demonstrated by security researcher Charlie Miller at the Black Hat cybersecurity conference. This incident highlighted the security flaws in the NFC technology used in these devices, allowing for potential attacks by hackers [13312].
(b) The article mentions that Google, Apple, Visa, MasterCard, and other major players are also looking into NFC technology for mobile wallet solutions. This indicates that similar incidents could potentially occur with the adoption of NFC technology by other organizations as well, not just limited to Samsung and Nokia devices [13312]. |
| Phase (Design/Operation) |
design, operation |
(a) The software failure incident related to the design phase can be seen in the vulnerability discovered by security researcher Charlie Miller in the NFC features of Samsung and Nokia devices. Miller found vulnerabilities in the NFC features of the Samsung Galaxy Nexus and the Nokia N9 running MeeGo, which allowed him to take control of the devices by exploiting bugs in the system. The incident highlights how flaws in the design of the NFC technology could lead to security breaches and unauthorized access to devices [13312].
(b) The software failure incident related to the operation phase can be observed in the scenario where an attacker could exploit the default "content sharing" setting on the Nokia N9 to pair the phone with a second device and gain unauthorized access. This aspect of the incident demonstrates how the misuse or operation of the system, such as enabling certain settings, could create loopholes for attackers to exploit and compromise the device's security [13312]. |
| Boundary (Internal/External) |
within_system |
(a) within_system: The software failure incident described in the article is primarily due to contributing factors that originate from within the system. Specifically, the failure was caused by a bug in the code snippet that allowed security researcher Charlie Miller to take control of an N9 phone by exploiting vulnerabilities in the NFC features of Samsung and Nokia devices [13312]. The bug in the code snippet enabled the attacker to completely take over an Android phone and exploit a browser bug to gain unlimited access to the device. Additionally, the vulnerability in the Nokia N9's default "content sharing" setting allowed an attacker to pair the phone with another device and exploit a loophole for unauthorized access [13312]. These issues highlight internal system weaknesses that were exploited by the attacker. |
| Nature (Human/Non-human) |
non-human_actions, human_actions |
(a) The software failure incident occurring due to non-human actions:
The software failure incident in the article was primarily due to a bug in the code snippet that allowed security researcher Charlie Miller to take control of an N9 phone. This bug was exploited by merely brushing a tag with an embedded NFC chip against the Android phone, triggering a browser bug that opened the gate for unlimited access to everything on the phone [13312].
(b) The software failure incident occurring due to human actions:
The vulnerabilities exploited by Charlie Miller were discovered in the "near field communications" features on Samsung and Nokia devices. These vulnerabilities were a result of flaws in the implementation of NFC technology on the devices, which allowed for potential attacks by manipulating NFC signals and tags. Additionally, Miller's demonstration highlighted the potential risks associated with NFC technology being used for content sharing and mobile wallet applications without proper security measures in place [13312]. |
| Dimension (Hardware/Software) |
hardware, software |
(a) The software failure incident related to hardware:
- The article mentions a bug that allowed security researcher Charlie Miller to take control of an N9 phone, which is a hardware-related vulnerability [13312].
(b) The software failure incident related to software:
- The article discusses vulnerabilities in the NFC features on Samsung and Nokia devices, specifically related to Android Beam and browser bugs that allowed unlimited access to the phone's content. These vulnerabilities are software-related [13312]. |
| Objective (Malicious/Non-malicious) |
malicious |
(a) The software failure incident described in the article is malicious in nature. Security researcher Charlie Miller demonstrated vulnerabilities in the near field communications (NFC) features on Samsung and Nokia devices that could be exploited by hackers to take control of the phones. Miller was able to completely take over an Android phone and a Nokia N9 by exploiting bugs in the NFC technology, allowing for unlimited access to the devices. He highlighted the potential risks associated with NFC technology being used for malicious purposes, such as sending unwanted spam or transmitting data to devices without user consent [13312]. |
| Intent (Poor/Accidental Decisions) |
accidental_decisions |
(a) The software failure incident stemmed from accidental decisions rather than poor decisions. The incident involving security researcher Charlie Miller taking control of an N9 phone through a bug in the NFC feature was described as almost accidental. Miller's tag exploit was an accidental discovery after months of fuzzing NFC systems, and he was surprised by the extent of manipulation the tag loophole allowed. He emphasized the need for phone makers to rethink their approach to frictionless sharing and suggested that devices should ask permission before accepting data from unfamiliar devices or NFC tags nearby [13312]. |
| Capability (Incompetence/Accidental) |
development_incompetence, accidental |
(a) The software failure incident in the article can be attributed to development incompetence. Security researcher Charlie Miller was able to take control of an N9 phone by exploiting vulnerabilities in the NFC features on Samsung and Nokia devices. Miller discovered bugs in the Android Beam feature on the Samsung Galaxy Nexus and a loophole in the content sharing setting on the Nokia N9, allowing him to gain unlimited access to the phones [13312].
(b) The software failure incident can also be considered accidental as Miller's tag exploit, which led to the discovery of vulnerabilities in NFC systems, was almost accidental. Despite months of fuzzing NFC systems to find bugs, the tag loophole allowed for much more manipulation than expected, indicating an accidental discovery of a significant vulnerability [13312]. |
| Duration |
temporary |
(a) The software failure incident described in the article is more temporary in nature. The vulnerabilities discovered by security researcher Charlie Miller in the NFC features of Samsung and Nokia devices were specific to certain circumstances and factors. For example, the Android attack exploit was based on a bug that Google had already patched, and the Nokia N9 running MeeGo had a default setting that, when enabled, allowed for the loophole to pair the phone with a second device. Additionally, the article mentions that NFC signals have a tiny range, requiring attackers to be in very close proximity to successfully transmit malicious data, indicating that the potential for exploitation was limited to specific situations [13312]. |
| Behaviour |
value, other |
(a) crash: The software failure incident described in the article does not involve a crash where the system loses state and does not perform any of its intended functions. Instead, the incident involves vulnerabilities in the NFC features of Samsung and Nokia devices that allowed a security researcher to take control of the devices [13312].
(b) omission: The incident does not involve the system omitting to perform its intended functions at an instance(s). Instead, the vulnerabilities discovered by the security researcher allowed for unauthorized access and control of the devices, rather than the system failing to perform its functions [13312].
(c) timing: The incident does not involve the system performing its intended functions correctly, but too late or too early. The vulnerabilities exploited by the security researcher were related to the NFC features of the devices, allowing for unauthorized access and control, rather than a timing issue [13312].
(d) value: The software failure incident does involve the system performing its intended functions incorrectly. The vulnerabilities in the NFC features of the Samsung and Nokia devices allowed for unauthorized access and control, which is not the intended behavior of the devices [13312].
(e) byzantine: The incident does not involve the system behaving erroneously with inconsistent responses and interactions. The vulnerabilities discovered by the security researcher allowed for a specific type of attack that granted unauthorized access and control over the devices, rather than exhibiting inconsistent responses or interactions [13312].
(f) other: The behavior of the software failure incident can be categorized as a security vulnerability exploit. The incident involved the exploitation of vulnerabilities in the NFC features of Samsung and Nokia devices, allowing for unauthorized access and control by a security researcher. This behavior falls under the category of security vulnerability exploitation rather than the options (a) to (e) provided [13312]. |